
I have seen some examples of how to use parameters to avoid character escaping. Is using parameters 100% safe against SQL injection?

Also, could you please give some basic queries (ones that are regularly used) and show how you implement the parameters?

Some websites I searched before I came here provided too complicated examples.

  • I hesitate to state that anything is 100% safe. Also, what do you mean by regularly used queries? It's entirely dependent on your data model. Commented Apr 22, 2012 at 17:04

2 Answers

A basic example of a parameterized SQL query is as follows:

using System.Data.SqlClient;

// conn is a SqlConnection that has already been opened elsewhere
SqlCommand command = new SqlCommand(@"select city from users where username = @username", conn);
SqlParameter param = new SqlParameter();
param.ParameterName = "@username";
param.Value = "abc123";              // sent to the server as a value, never spliced into the SQL text
command.Parameters.Add(param);

conn is the SqlConnection that you've established.

@username is the parameter name that will be substituted when the command is executed.

abc123 is the made up username that I've put for the example.

This is obviously a made up scenario, but you get the point.


As a shorter version you can use

SqlCommand command = new SqlCommand(@"select city from users where username = @username", conn);
command.Parameters.AddWithValue("@username", "value");

2 Comments

OK - but using the .AddWithValue() method basically tells ADO.NET to guess the data type used, which it does quite well, most of the time. But sometimes it's off, quite a bit off at times. Therefore, I would not recommend this; it's always better to explicitly define the data type and not leave this up to guesswork by the ADO.NET runtime.
I believe there is an overload for AddWithValue that lets you pass a type.
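Both answers parameterize one value in one SELECT, and the comments on the second one raise the question of explicit types. The following is an added example, not code from the question or from either answer, that covers the "basic, regularly used" queries the question asks for (SELECT, INSERT, UPDATE, a LIKE filter with a sort) with explicitly typed parameters via Parameters.Add(name, SqlDbType, size), which is the typed overload the second comment is thinking of (it belongs to Add, not AddWithValue). It also shows the one place parameters cannot help, the ORDER BY column, which is an identifier and has to come from an allow-list instead. The table name users, its columns (id, username, city, created), their sizes, and the connString value are assumptions made up for the example.

```csharp
// Added example; assumes a SQL Server table
//   users(id int, username nvarchar(50), city nvarchar(100), created datetime2)
// and a caller-supplied connection string. Table, columns and sizes are placeholders.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class UserQueries
{
    // SELECT one value. Add(name, SqlDbType, size) fixes the SQL type explicitly
    // instead of letting AddWithValue infer it from the .NET value.
    public static string GetCity(string connString, string username)
    {
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand("SELECT city FROM users WHERE username = @username", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            conn.Open();
            return cmd.ExecuteScalar() as string;   // null when no row matched
        }
    }

    // INSERT with three typed parameters. A null .NET string must be sent as DBNull.Value.
    public static int InsertUser(string connString, string username, string city)
    {
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(
            "INSERT INTO users (username, city, created) VALUES (@username, @city, @created)", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = (object)city ?? DBNull.Value;
            cmd.Parameters.Add("@created", SqlDbType.DateTime2).Value = DateTime.UtcNow;
            conn.Open();
            return cmd.ExecuteNonQuery();           // rows affected
        }
    }

    // UPDATE keyed by an integer id.
    public static int UpdateCity(string connString, int id, string city)
    {
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand("UPDATE users SET city = @city WHERE id = @id", conn))
        {
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = city;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Identifiers (table names, column names, ORDER BY targets) cannot be parameters.
    // Map the caller's choice onto an allow-list of fixed column names instead of
    // concatenating the caller's string into the statement.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["name"] = "username",
            ["city"] = "city",
            ["created"] = "created",
        };

    // SELECT many rows with a LIKE filter and a caller-chosen sort column.
    public static List<string> ListUsernames(string connString, string cityPrefix, string sortBy)
    {
        string orderBy;
        if (!SortColumns.TryGetValue(sortBy ?? "name", out orderBy))
            throw new ArgumentException("unknown sort column", nameof(sortBy));

        var names = new List<string>();
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(
            "SELECT username FROM users WHERE city LIKE @pattern ORDER BY " + orderBy, conn))
        {
            // The LIKE pattern is still a value, so it is a parameter. Wildcards in the
            // caller's input can only widen the match; they cannot alter the statement.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 100).Value = cityPrefix + "%";
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```

On the "100% safe" part of the question: a parameter is transmitted to the server separately from the statement text, so nothing in its value can change the statement's structure. That guarantee covers value positions only. It does not cover identifiers or keywords (the ORDER BY case above), and it does not cover a stored procedure that takes the parameter and builds a new statement from it by string concatenation on the server side; both of those still need the allow-list or another structural control.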
